Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Internet Security

Fizzer Worm Uninstalling Itself 450

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also postted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."
This discussion has been archived. No new comments can be posted.

Fizzer Worm Uninstalling Itself

Comments Filter:
  • by lukew ( 528994 ) <woodzy@gmail.com> on Friday May 16, 2003 @07:11AM (#5971431)
    The fizzer worm information minister soon after came forth to announce that the site had in fact not been taken over, and that the fizzer worm was more fertile then ever.
  • by Spad ( 470073 ) <slashdot@Nospam.spad.co.uk> on Friday May 16, 2003 @07:12AM (#5971441) Homepage
    Looks like the Fizzer worm will soon come to an end.

    We're crossing our fingers that the bots are looking for an executable
    to update themselves..


    Well if they're not then the page becomes semi-useless. Although I suppose it will still prevent 'legitimate' updates of the bots.
    • by isn't my name ( 514234 ) <slash.threenorth@com> on Friday May 16, 2003 @08:48AM (#5971980)
      According to a more recent post on dshield:

      To: irc-security@lists.noc.ic5.net, IRC.Admins@ldsn.org
      Reply to: irc-security@lists.noc.ic5.net


      Update: The file has now been removed for "testing".

      I.E. we don't think the code is being executed. :(

      Also, apparently the "update routine" on Fizzer only runs once a day, though that's totally unconfirmed.

      James ('Herbster')

      (Server Admin, irc.ZiRC.org)
  • If you are going to go to the trouble of writing a worm that will update itself automatically, for gods sake, cryptographicaly sign the updates!

    We don't want a repeat of this fiasco...
    • by KDan ( 90353 ) on Friday May 16, 2003 @07:26AM (#5971509) Homepage
      That's not funny, that's just plain true. And a clever worm writer can probably tap into SSL libs in IE or Moz to avoid having to include the whole crypto libs with the worm. So it seems pretty doable. So I'd say this was a lucky strike.

      Daniel
    • by Alethes ( 533985 ) on Friday May 16, 2003 @08:19AM (#5971790)
      What if they were to sign the updates and make the source decentralized by turning every one of the infected boxes into a node on a P2P network from which the worm would get its updates? It seems gaining control of the source would become exponentially more difficult as the worm spread. Not only that, but it would wreak havoc on these P2P networks, as well, and that means even those that are technically savvy enough to not get infected will at the very least be annoyed by the clutter.
  • Full Text of Article (Score:5, Informative)

    by insomnike ( 28288 ) <insomNO@SPAMiol.ie> on Friday May 16, 2003 @07:13AM (#5971446) Homepage
    Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
    now control the update page, and have posted a mirror of the
    http://www.debugoutput.com/fizzer.php site on the geocities website that
    fizzer uses to update itself.

    We have also postted a fizzer cleaner to the actual URL that the bot
    downloads its updates from, as a self extracting and running executable.
    We're crossing our fingers that the bots are looking for an executable
    to update themselves..

    We'll keep you updated..

    Regards,

    --
    John McGarrigle
    IC5 Networks
    • by Realistic_Dragon ( 655151 ) on Friday May 16, 2003 @07:35AM (#5971558) Homepage
      How is automatically downloading a antivirus any more legal or ethical than automatically downloading a virus without user permission?

      I applaud the sentiment, but do the ends justify the means? I don't think Joe Slashdotter would be too happy with the idea of enforced antivirus affecting _his_ PC, for example if the government mandated it, because you can be sure that that precident would soon be followed by anti-piracy, anti-crypto, anti-free-speech, anti-everything-else in short order.

      I suppose you could argue that 'we aren't inserting the data ourselves, we just made it available' - but that's little more than sophistry.
      • by Urkki ( 668283 ) on Friday May 16, 2003 @07:40AM (#5971579)
        But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it? Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)
        • But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it?

          Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded without the knowlage of computer users onto their machine. They could have just deleted the file.

          Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessi
          • by Urkki ( 668283 )
            Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded without the knowlage of computer users onto their machine. They could have just deleted the file.

            I guess that would make them liable to pay damages if their removal code did some damage, and doing something like that is sticking their necks out to be chopped off. Which makes them either unselfish and brave, or stupid.

            Too bad there really isn't any "real-world" analogy for this case...

      • by xinit ( 6477 ) <rmurrayNO@SPAMfoo.ca> on Friday May 16, 2003 @08:34AM (#5971881) Homepage
        I still get hits from Nimda and Code Red on my apache server. Plenty of them. I'd be very happy to see those ancient beasties exterminated in just this fashion.

        Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.

        If someone's unconcious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

      • by sjames ( 1099 )

        How is automatically downloading a antivirus any more legal or ethical than automatically downloading a virus without user permission?

        Essentially, the same way the fire department has implied permission to save your house and pets should your house catch fire when you are unreachable.

        That is, the worm presents a danger to other people's property (servers) and it's a good bet that anyone having it would sincerely like it to be gone. Anyone who WANTS the worm to remain, AND hasn't isolated it from the

  • wow (Score:5, Insightful)

    by j0nb0y ( 107699 ) <`jonboy300' `at' `yahoo.com'> on Friday May 16, 2003 @07:14AM (#5971448) Homepage
    nice hack.


    Now the computer security community gets to have a big debate over whether this was ethical or not...

  • by bjb ( 3050 ) * on Friday May 16, 2003 @07:14AM (#5971450) Homepage Journal
    Hey Kids! Want to take over thousands of people's machines? Hack Geocities and install your own 3733t "eYe r0K uR w0RlD" binary at this URL! ...

    I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.

    • by Ryan Amos ( 16972 ) on Friday May 16, 2003 @07:53AM (#5971653)
      My guess is the fizzer people talked to geocities to gain control of the account. I'd imagine geocities' security is pretty solid, it's NOT hard to secure a box if you REALLY want to. 99.999% of security breaches are from default daemons left on and never updated so the vulnerabilities persist. If you update your software and check your CGIs (the other 0.001% of system breakins come from bad CGIs) for vulnerabilities (as I'm sure geocities has) then you're fine.
  • by Salamanders ( 323277 ) on Friday May 16, 2003 @07:15AM (#5971460)
    ...now control the update page...

    At what point does the vigalante hacking become acceptable when fighting against Something Bad?

    If this worm updated itself from a random group of computers that it had infected (say for exmple, yours), would you mind if they took control of your computer if it meant stopping the worm?
    • by Anonymous Coward on Friday May 16, 2003 @07:20AM (#5971485)
      We now control the update page because a particularly observant FTF member noticed that geocities had deleted the page, and registered it for themselves. No hacking involved.

      Next time try doing a little research (like asking in the IRC channel) before posting.
    • by rillian ( 12328 ) on Friday May 16, 2003 @08:29AM (#5971850) Homepage
      If they do a good job without breaking anything else or causing additional inconvenience I wouldn't mind at all. Would you mind if some stranger came along and pulled the weeds out of your garden? It's like they're doing system administration for free; if their interest and yours is in improving the state of the networks commons, such division of labor is only an efficiency.

      People get concerned about security as an end unto itself, forgetting the real world is messier than that. An excess of control can be as wasteful as a deficit. What's good for the RIAA is good us too. It's never good to be a battleground of course, but ants in the basement are better than roaches in the kitchen. If the one prevents the other, why not?

      Thus we should patch security holes not to keep someone from using a few resources we wouldn't miss, or indeed use in the meantime, but because someone might combine those resources with ten thousand other compromised machines to perform a nuisance attack on another host, or with ten million to do the same to the net at large.
  • *Sigh* (Score:5, Funny)

    by cperciva ( 102828 ) on Friday May 16, 2003 @07:16AM (#5971461) Homepage
    When will people learn that if you're going to download program updates, you should use public-key cryptography to sign the updates?

    If you're going to write a worm, do it right.
  • Quota? (Score:5, Interesting)

    by 42forty-two42 ( 532340 ) <bdonlan AT gmail DOT com> on Friday May 16, 2003 @07:16AM (#5971462) Homepage Journal
    Why isn't the geocities site saying it's 'bandwith exceeded' or something?
  • as a compassionate human being i find this outrageous

    to use the innate homing behavior of a wild natural creature like this virus against it...

    to warp it's natural instincts to find home into the means by which it kills itself displays a craven lack of respect for computer worm/ virus entities

    do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?

    is there no compassion on the internet?

    outrageous
  • Nice.. (Score:4, Interesting)

    by Komarosu ( 538875 ) <nik_doof@nikdoofAUDEN.net minus poet> on Friday May 16, 2003 @07:18AM (#5971474) Homepage
    Guess thats another thing worm writers will pick up...dont have autoupdate from a website, without that little "feature" the worm would probably hang around for alot longer.
    • Re:Nice.. (Score:4, Insightful)

      by Loosewire ( 628916 ) * on Friday May 16, 2003 @07:23AM (#5971497) Homepage Journal
      i would say not. I think what most virus writers want to do is get a worm that quickly spreads to everyone. Weather it hangs around is of no importence, so having a way it could be disabled after a reasonable ammount of time (a few weeks) would not be bad for them. Just like game companies only have copy protection so they get huge sales for the first week or so, - they know the protection will be broken but not for a short while afterwards.
  • Fact Checking (Score:5, Informative)

    by Brightest Light ( 552357 ) on Friday May 16, 2003 @07:21AM (#5971494) Journal
    Nicely done, Slashdot!

    Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.

  • by 42forty-two42 ( 532340 ) <bdonlan AT gmail DOT com> on Friday May 16, 2003 @07:22AM (#5971496) Homepage Journal
    From the F-Secure page:
    The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:


    Uninstall.pky

    When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
    [...]

    To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:
    Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...
    • by httptech ( 5553 ) on Friday May 16, 2003 @08:45AM (#5971951) Homepage
      Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

      That's actually what the de-fizzer executable was designed to do. Unfortunately, it looks like there are timing/logic issues with the update that haven't been worked out (different threads of the worm are run conditionally, at different times)

      Another vector that people (including myself) are working on is using the "PING" buffer overflow to launch the self-destruct mechanism from the IRC server.

      My submission:

      2003-05-15 16:36:12 Fizzer Worm Self-Destruct Sequence Triggered by Fizzer Task Force (articles,security) (rejected)

  • by andy666 ( 666062 ) on Friday May 16, 2003 @07:30AM (#5971525)
    so i think it is morally wrong to kill them all. who are we to decide which new e-species lives and which dies ?

    (see star trek for more on this topic....)
  • by Anonymous Coward on Friday May 16, 2003 @07:32AM (#5971536)
    I mean seriously, this article just SCREAMED for a title like Fizzer Fizzels Out, or something like that. I don't blame Slashdot, I blame DShield.org for their lack of insight to use good reporting techniques such as headlining...
  • by caffeinex36 ( 608768 ) on Friday May 16, 2003 @07:39AM (#5971575)
    ...didn't get a hold of the Geocities page...Otherwise there would be 120398123 people un-happy with a "free-trial" of Norton AV on thier desktop right now.

    -Rob
  • Great! (Score:3, Funny)

    by varjag ( 415848 ) on Friday May 16, 2003 @07:46AM (#5971619)
    While they are at it, could they also made worm install some simple firewall and anti-viral software at user's marchines?
  • DMCA violation? (Score:4, Interesting)

    by dcavanaugh ( 248349 ) on Friday May 16, 2003 @08:01AM (#5971693) Homepage
    Hmmm... hijacking a web page to interfere with the virus' self-update. Is this an illegal "circumvention" of a "protection feature" in this copyrighted program (regardless of how it's installed)?

    Don't get me wrong; I applaud the efforts of the virus busters; I just figured it was yet another example of unintended DMCA side-effects.
  • by sopuli ( 459663 ) on Friday May 16, 2003 @08:02AM (#5971698)
    Because, if you walk without a rhythm, you won't attract the worm.
  • by Madcapjack ( 635982 ) on Friday May 16, 2003 @08:07AM (#5971721)
    I just google uninstall.pky at 3:06pm Polish time, and I received 28 results. Lets see how fast this info spreads on Google
  • by Sergeant Beavis ( 558225 ) on Friday May 16, 2003 @08:08AM (#5971728) Homepage
    Its nice to see some people just looking to do some good.

  • by Ender Ryan ( 79406 ) on Friday May 16, 2003 @08:13AM (#5971754) Journal
    Am I just being incredibly dense? What are so many here complaining about? How could you possibly consider it to be morally wrong for someone to use a worm's own properties to fight it? People who are "unintentionally downloading and running" this fix were already hacked, and are no longer in control of their machines.

    If someone broke into your house, would you mind if a friendly neighbor quietly quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.

    They also didn't "hack" geocities like some have suggested...

    I dunno, I just don't see anything wrong here.

  • by nurb432 ( 527695 ) on Friday May 16, 2003 @08:51AM (#5971992) Homepage Journal
    Isnt that a violation of the DMCA?

    Sure i agree its a good solutoin, but if they all get sued for it.... no good deed goes unpunished..
  • by MongooseCN ( 139203 ) on Friday May 16, 2003 @08:59AM (#5972036) Homepage
    Next let's take over the MS Update site and put REAL patches on there. Then when the client updates his system, he won't be installing more holes.
  • by theflea ( 585612 ) on Friday May 16, 2003 @09:02AM (#5972057)
    After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:

    Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.

    As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers becom almost biological in complexity, they must be able to fix their own minor problems. Same type thing.
  • by aztektum ( 170569 ) on Friday May 16, 2003 @09:22AM (#5972191)
    until the Pfizer worm comes around and then we're all in for a hard time

    i got nothin' this morning
  • by Monofilament ( 512421 ) on Friday May 16, 2003 @10:22AM (#5972786) Homepage Journal
    Ok .. i don't know much about Fizzer.. but if its keeping itself alive by self updating off of a geocities site, AND WE KNEW THIS. Why the hell didn't geocities just take the site off?

    I mean I can't even link a picture from geocities to another site.. but Geocities lets this worm update itself from something on the webpage?

    Even past that i saw something mentioned about bandwidth.. if Fizzer is that bad wouldn't its constant updating overload the free bandwidth from the geocities site?

    Educate me please.. I'm kinda confused here.
  • by nounderscores ( 246517 ) on Friday May 16, 2003 @10:29AM (#5972884)
    as secolactico (UID:519805) pointed out, Fizzer could be upgradeded to a Curious Yellow class worm.

    And I worked out how to kill it in a post in the Curious Yellow Discusion [slashdot.org].

    subsequent posters suggested that designing a worm using crypto and a truly distributed archetecture would make us a lot less smug in future.

    we've been warned folks. What are we going to do about it?
  • by dougnaka ( 631080 ) on Friday May 16, 2003 @10:39AM (#5973000) Homepage Journal
    For those of you who are not familiar Code Green was an anti-code red listener that would automatically connect to an attacking code red infected server and clean it up. link to news story about code green [vnunet.com] People in the "security community" were inflamed, and the general consensus was that this was illegal, and many people, myself included, decided not to install code green. Now, code red attacks are still common in my server logs..

    Looks like it's better to ask forgiveness than seek permission.

  • by Luzumsuz Lazim ( 603227 ) on Friday May 16, 2003 @10:53AM (#5973157)
    Well, the next time, the author of the worm will probably be more careful in writing the code that executes the update package which is SIGNED by her private key. So, this kind of (elegant) solution won't do the trick...
  • by AnotherBlackHat ( 265897 ) on Friday May 16, 2003 @01:07PM (#5974356) Homepage
    They should have taken over this one [microsoft.com] ;)

    -- this is not a .sig

Our policy is, when in doubt, do the right thing. -- Roy L. Ash, ex-president, Litton Industries

Working...